PT-2026-2482 · Go+2

Ryotak · Published 2025-01-01 · Updated 2026-04-23 · CVE-2025-61731

CVSS v3.1: 7.8 (High)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

cmd/go (affected versions not specified)

Description

Building a malicious file with cmd/go can result in a write to an attacker-controlled file, with partial control over the file's content. The issue stems from the '#cgo pkg-config:' directive in Go source files. This directive supplies command-line arguments that are passed to the Go pkg-config command. An attacker can provide a '--log-file' argument to this directive, which causes pkg-config to write output to a location specified by the attacker.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
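
A review-time check for the directive named in the Description, given here as an added example that is not part of the advisory or of cmd/go: it scans Go source text for '#cgo pkg-config:' lines and reports every option-like argument, marking '--log-file'. The Finding type, the ScanCgoPkgConfig function and the sample source are constructed for illustration; matching is line-based and does not parse Go syntax or cgo quoting.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Finding is one option-like argument seen in a "#cgo pkg-config:" directive.
type Finding struct {
	Line    int
	Arg     string
	LogFile bool // true when the argument is the --log-file option named in the advisory
}

// ScanCgoPkgConfig reports each argument starting with "-" on a "#cgo ... pkg-config:" line.
// Assumption: a line-based heuristic; arguments are split on whitespace, quotes are only trimmed.
func ScanCgoPkgConfig(src string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(src))
	for n := 1; sc.Scan(); n++ {
		// Drop comment markers ("//", "/*", leading "*") so the directive starts the line.
		line := strings.TrimSpace(strings.TrimLeft(strings.TrimSpace(sc.Text()), "/*"))
		_, args, ok := strings.Cut(line, "pkg-config:")
		if !ok || !strings.HasPrefix(line, "#cgo") {
			continue
		}
		for _, a := range strings.Fields(args) {
			a = strings.Trim(a, `"'`)
			if a == "--" || !strings.HasPrefix(a, "-") {
				continue // bare separator or a package name, not an option
			}
			name, _, _ := strings.Cut(a, "=") // handles --log-file=PATH and --log-file PATH
			out = append(out, Finding{n, a, name == "--log-file"})
		}
	}
	return out
}

// sample is constructed input for this example, not taken from a real package.
const sample = "package demo\n\n// #cgo pkg-config: --static libfoo\n// #cgo linux pkg-config: --log-file=/tmp/constructed.log libbar\nimport \"C\"\n"

func main() {
	for _, f := range ScanCgoPkgConfig(sample) {
		fmt.Printf("line %d: %s (log-file=%v)\n", f.Line, f.Arg, f.LogFile)
	}
}
```

Run over vendored or downloaded module source before building, any finding with LogFile set deserves a manual look at the package that carries it.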

Weakness Enumeration

Related Identifiers

ALSA-2026:5941
ALSA-2026:5942
ALSA-2026:6949
AZL-78935
BDU:2026-03411
BIT-GOLANG-2025-61731
CVE-2025-61731
ECHO-76A3-60B7-33E7
GO-2026-4339
MGASA-2026-0035
OESA-2026-1698
OESA-2026-1699
OESA-2026-1700
OESA-2026-1701
OESA-2026-1702
OESA-2026-1703
OPENSUSE-SU-2026:10063-1
OPENSUSE-SU-2026:10064-1
OPENSUSE-SU-2026:20077-1
OPENSUSE-SU-2026:20085-1
OPENSUSE-SU-2026:20301-1
OPENSUSE-SU-2026:20308-1
OPENSUSE-SU-2026:20619-1
RHSA-2026:5941
RHSA-2026:5942
RHSA-2026:5943
RHSA-2026:5944
RHSA-2026:6949
RHSA-2026:7291
RHSA-2026:7385
RHSA-2026:7833
RHSA-2026:7834
RHSA-2026:7876
RHSA-2026:7877
RHSA-2026:7878
RHSA-2026:7879
RHSA-2026:7883
SUSE-SU-2026:0218-1
SUSE-SU-2026:0219-1
SUSE-SU-2026:0296-1
SUSE-SU-2026:0297-1
SUSE-SU-2026:0298-1
SUSE-SU-2026:0308-1
SUSE-SU-2026:0354-1
SUSE-SU-2026:20122-1
SUSE-SU-2026:20132-1
SUSE-SU-2026:20623-1
SUSE-SU-2026:20629-1

Affected Products

Go
Red Os
Rocky Linux